The EU General Data Protection Regulation (or GDPR) is a topic that is on many security and compliance people's minds right now, and for good reason. It comes into effect in a little over two months' time and will significantly alter the way organisations think about, and manage, the data they hold.
I won't go into the details of what those requirements are, but Article 5 focuses on the processing of personal data and sets out six key principles:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality.
These principles can be boiled down as: only store what you need, for as long as you need it, ensure it is accurate and only accessible to the people that need it.
EU GDPR and Technology
The EU GDPR also talks about using appropriate technology. In fact, within the body of the GDPR the phrase "technical and organisational measures" appears a whopping 18 times, with the word 'technical' appearing roughly 40 times. This is significant, as organisations will need to be able to clearly demonstrate that they have appropriate controls, tools or systems in place. All of this relates only to information about 'natural persons' being appropriately protected, but that relies on first knowing where the data is and then working out how to protect it. Those are two distinct questions and two distinct tasks, with the first part being about finding the data. Whilst looking for information about people, why not use the opportunity to locate other sensitive data or information (such as Intellectual Property) and put the necessary controls around that too?
If you are thinking about any kind of EU GDPR programme, or if you've already started one, most people agree that the starting point is to perform a data audit and map any data flows. Knowing how data comes into, and flows out of, the organisation can be a real help when working out what's important.
However, performing data discovery can be a real challenge, especially in this modern era where more and more people work remotely and where mobile users store documents on servers, in applications, in the cloud (and in applications in the cloud), on their laptops or even on their smartphones. This is compounded by the sheer amount of data being generated and stored, including emails and log files.
Fortunately, there are tools around that help automate this task. Typically, a combination of tools will be required to perform the function properly, including a cloud access security broker (CASB) and Data Loss Prevention (DLP) solution. Together, these will help identify where that data is stored (be that on-premise, local device or in the cloud), who’s using (and potentially sharing) it and, perhaps most importantly, what that data is (via data classification). Data classification needs to go beyond just looking at file types and focus on the content of the file, regardless of file type (document, presentation, spreadsheet). It should pick up personal, health and financial information and, ideally, anything which is specific to your company or industry which could be considered as Intellectual Property (IP).
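To illustrate what content-based classification means in practice, here is an added example (not code from the original post or from any of the vendors named on this page) that scans the text of a document for personal and financial data regardless of what file type it came from. The sample document, the regular expressions and the two category labels are all constructed for this illustration; a real tool would first extract text from each file format and would cover many more data types.

```python
import re

# Constructed sample "document" content: the scanner looks only at content,
# never at the file extension, which is the point made in the text above.
SAMPLE_TEXT = """Invoice for jane.doe@example.com
Card: 4111 1111 1111 1111 (expires 12/26)
Order ref 4111 1111 1111 1112 is not a valid card number
Refund to GB82 WEST 1234 5698 7654 32"""

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digit runs
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end, map A-Z to 10-35."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def classify(text: str) -> dict:
    """Return the categories found in the text; sensitive values are masked in the report."""
    findings = {"personal": [], "financial": []}
    findings["personal"] += EMAIL_RE.findall(text)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # checksum cuts false positives from order numbers etc.
            findings["financial"].append("card:" + digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    for m in IBAN_RE.finditer(text):
        iban = m.group().replace(" ", "")
        if iban_ok(iban):
            findings["financial"].append("iban:" + iban[:4] + "..." + iban[-4:])
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
```

The checksum steps matter: without them the order reference on line three would be reported as a card number, and a discovery tool that floods reviewers with false positives quickly gets ignored.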
Once identified it will then be much easier, and more cost effective, to build controls around only the critical or sensitive data that needs it. The data discovery tool should allow a review of users’ access and rights and any other network controls. It should provide access to detailed audit logs and permission reports showing past and current activity so that informed decisions can be made and any issues remediated.
Finding the right solution for discovery can be difficult, since it is often part of another product. Data classification companies (such as Boldon James, Digital Guardian, Titus and others) have products with some element of discovery built in, as do CASB providers (Forcepoint, Skyhigh, Netskope etc.) and DLP solution providers (such as Forcepoint, Trend Micro, Symantec and more).
Implementation should be planned carefully and reviewed regularly to ensure success. Partnering with a company or service provider that has multiple products or suppliers in their portfolio and who understands your environment will help guide you through the process and ensure you choose the right solution.